TERENA TF-EMC2 Workshop, David Groep, 2004.11.04
http://www.eugridpma.org/
TF-EMC2 meeting, November 4 2004, David Groep – [email protected]
A PKI for Grids
PKI model fits the lack of hierarchical relations between users and resources in the Grid
Users can join collaborations (VOs), that are independent of both resources and home organisations
mainly unilateral trust relations (RP/subscriber -> CA)
limited mutual trust (CA -> CA within a PMA)
Both users and services need a credential
Revocation: of authZ via the VOs, of authN via the CAs
(the latter only if the identity is compromised)
The EUGridPMA
European Grid Authentication
Policy Management Authority for e-Science
Coordinates authentication for people and services for European, national, and related Grid projects: EGEE, DEISA, SEEGRID, LCG, …
PMA manages authentication guidelines and policies
Trust domain for research and academic grids
Certificate Authority Coordination
Evolved from the CA Coordination Group in DataGrid, CrossGrid, LCG, …
collection of national and regional CAs
  better local identity vetting
  national legislation
all meet or exceed minimum requirements
  identity checking (in-person, photo-ID)
  physical security (signing key protection, storage)
  naming (unique certificate names)
  revocation (updated lists, retrieval)
Clearly defined accreditation procedure
Basic tools and distribution mechanisms
Accreditation process
Codification of procedures in a CP(S) for each CA
  de facto lots of copy/paste, except for the vetting sections
Peer-review process for evaluation
  comments welcomed from all PMA members
  two assigned referees
In-person appearance during the review meeting
Accredited Authorities
Everyone (almost) in Europe has a national CA
[Map of Europe; legend: green = CA accredited, yellow = being discussed]
Other accredited CAs: DOEGrids (US), GridCanada, ASCCG (Taiwan), ArmeSFO (Armenia), CERN, Russia (HEP), FNAL Service CA (US), Israel, Pakistan
The Catch-All CAs
Project-centric “catch all” Authorities
For those left out in the rain in EGEE: CNRS “catch-all” CA (Sophie Nicoud), coverage for all EGEE partners
For the South-East European region: regional catch-all CA
For LCG world-wide: DOEGrids CA (Tony Genovese & Mike Helm, ESnet), Registration Authorities through Ian Neilson
Distribution
RPM distribution to facilitate deployment in projects
validation of the roots of trust must be done via TACAR (or out-of-band means)
releases contain:
  CA root cert
  CRL URL
  CA URL
  namespace-policy file (used by the software for enforcement)
  dependency information (for hierarchical PKIs)
meta-RPMs “ca_policy_eugridpma” for triggering dependencies in the install software (yum/apt)
releases every ~4-12 weeks
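The namespace-policy file in the distribution is what lets relying-party software refuse a certificate whose subject DN lies outside the namespace its CA is accredited to sign, even if the signature itself is valid. The following is an added example (not code from the slides or from the EUGridPMA distribution) of that enforcement check in Python, using the Globus-style `*.signing_policy` file layout; the CA name, policy and subject DNs are constructed for illustration.

```python
"""Enforce a CA namespace policy on a certificate subject DN.

Added example, not part of the original slides.  The policy text follows the
Globus signing_policy layout (access_id_CA / pos_rights / cond_subjects);
the CA and subject DNs are constructed for illustration.
"""
import re
import shlex

# Constructed sample policy: one CA, accredited for two subject namespaces.
SAMPLE_POLICY = """\
# signing policy for a hypothetical national CA (constructed example)
access_id_CA      X509         '/C=XX/O=ExampleGrid/CN=ExampleGrid CA'
pos_rights        globus        CA:sign
cond_subjects     globus        '"/C=XX/O=ExampleGrid/*" "/DC=example/DC=grid/*"'
"""


def parse_signing_policy(text):
    """Return {ca_dn: [allowed subject patterns]} from signing_policy text.

    A block starts at access_id_CA; every cond_subjects line after it adds
    permitted subject patterns.  shlex keeps quoted DNs with spaces intact.
    """
    policy = {}
    current_ca = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        key, kind, value = tokens[0], tokens[1], tokens[2]
        if key == "access_id_CA" and kind == "X509":
            current_ca = value
            policy.setdefault(current_ca, [])
        elif key == "cond_subjects" and kind == "globus":
            if current_ca is None:
                raise ValueError("cond_subjects before access_id_CA")
            # The value is itself a quoted list of patterns.
            policy[current_ca].extend(shlex.split(value))
        elif key == "pos_rights":
            continue  # only CA:sign is meaningful for this check
        else:
            raise ValueError("unknown policy key %r" % key)
    return policy


def _pattern_to_regex(pattern):
    # Only '*' is a wildcard; everything else is literal and the match is
    # anchored to the whole DN, so '/O=ExampleGrid/*' does not match
    # '/O=ExampleGridEvil/...'.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def subject_permitted(policy, issuer_dn, subject_dn):
    """True iff issuer_dn is a known CA and subject_dn matches one of its
    permitted patterns.  Fails closed: an unknown issuer, or a CA with no
    cond_subjects line, permits nothing."""
    patterns = policy.get(issuer_dn)
    if not patterns:
        return False
    return any(_pattern_to_regex(p).match(subject_dn) for p in patterns)


if __name__ == "__main__":
    pol = parse_signing_policy(SAMPLE_POLICY)
    ca = "/C=XX/O=ExampleGrid/CN=ExampleGrid CA"
    for subj in ("/C=XX/O=ExampleGrid/O=users/CN=Alice Example",
                 "/C=YY/O=OtherGrid/CN=Mallory"):
        verdict = "PERMIT" if subject_permitted(pol, ca, subj) else "DENY"
        print(subj, "->", verdict)
```

The check is applied after ordinary chain validation, not instead of it: the chain proves the CA signed the certificate, the namespace policy proves the CA was entitled to sign that name. Only `*` is treated as a wildcard here, deliberately, because `?` and `[` can legitimately occur inside DN components.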
Global interoperation
PMAs collaborate bilaterally in an interoperation framework: the International Grid Federation (see www.gridpma.org)
  Americas PMA (being formed)
  EUGridPMA
  APGridPMA
Commonality
Common services to all European eInfrastructure:
EUGridPMA: all EU Grid infrastructure FP6 programmes; the CAs also cover inter-organisational national projects
TERENA TACAR provides the trust validation: Grid projects rely on TACAR to validate roots of trust
Minimum Requirements form the basis of the IGF; coherency in the AP modelled on EUGridPMA; the Americas are planning to build an AMSGridPMA
Current topics of discussion
Continuing updates to the minimum requirements
  as experience grows
  to comply better with evolving Grid middleware
  to comply with evolving industry standards
User key hygiene worries abound: can the user be trusted with key care? (hardly…)
Complexity for users and services: the server-certificate service!
On-line CA methodologies: guidelines and minimum requirements
Site-local solutions (SIPS)
Active certificate stores (credential repositories, escrow services)
CA-generated key pairs and ease-of-use